Attempting to publish to Sonatype staging fails to produce checksums #718

@dblock

Not sure this is a shadow problem, but would really appreciate some help.

Coming from https://github.com/opensearch-project/common-utils

We used to publish a component to Sonatype Staging, and in build.gradle had the following:

publishing {
    publications {
        shadow(MavenPublication) {
            project.shadow.component(it)
            ...
        }
    }
    repositories {
        maven {
            name = "sonatype-staging"
        }
    }
    signing {
        required { gradle.taskGraph.hasTask("publishShadowPublicationToSonatype-stagingRepository") }
        sign publishing.publications.shadow
    }
}

That worked well by invoking gradle publishShadowPublicationToSonatype-stagingRepository.

Since then our process needed to change by assembling a combined build out of several repositories from source, and instead of common-utils publishing to Sonatype staging we did common-utils -> mavenLocal -> Sonatype Staging via this script. As a result, we no longer see .md5 and .sha1 checksums in Sonatype staging, and that fails Sonatype checks to promote to Maven Central.

My initial reaction was to figure out how to generate those checksums during publishToMavenLocal. There's a similar unanswered SO, too. Looking at this code.

The solution I found was:

tasks.withType(Jar) { task ->
    task.doLast {
        ant.checksum algorithm: 'md5', file: it.archivePath
        ant.checksum algorithm: 'sha1', file: it.archivePath
        ant.checksum algorithm: 'sha-256', file: it.archivePath, fileext: '.sha256'
        ant.checksum algorithm: 'sha-512', file: it.archivePath, fileext: '.sha512'
    }
}

Invoking gradle publishShadowPublicationToMavenLocal generated the .md5 and .sha1 files.

  1. Shouldn't shadow be automatically always creating signatures as it seems to claim in the docs?
  2. Is there a way to patch publishToMavenLocal to include these signatures?
  3. Should shadow be doing (2)?
  4. Is this the best way to achieve this?

Shadow Version

7.1.0

Gradle Version

6.4

Expected Behavior

Expecting shadow publish to always include .md5 and .sha1 checksums.

Actual Behavior

Only publishes .pom, .xml, .jar.

Gradle Build Script(s)

https://github.com/opensearch-project/common-utils/blob/main/build.gradle
